I am using bcrypt to hash my passwords and it seems that Symfony2's authentication system is not producing the same hash as PHP's native crypt function. Below is the salt that I am generating for my user password:

 // bcrypt prefix, cost 13, then a salt built from an md5 hex digest
 $salt = '$2y$13$' . substr(md5(uniqid(rand(), true)), 0, 21) . '$';
 $this->setPassword('test', $salt);

In my security.yml file I am simply doing:

encoders:
    Blogger\BlogBundle\Entity\User:
        algorithm:  bcrypt
        cost:       13   # bcrypt is configured with "cost"; "iterations" only applies to the message-digest encoders

Is there any reason why the two encoding methods would generate different hashes? The library I am using is ircmaxell/password-compat.

  • please provide the code you used for testing the crypt function. maybe it's the number of iterations? Commented Jun 24, 2013 at 0:11
  • 1
    Wich version of Symfony? Additionally, why are you setting the salt manually? And yet additionally, why are you generating the salt in such a horrific manner? Symfony will do this for you. Why are you trying to make it more difficult than it needs to be? Proof: Symfony's Source Code Commented Jun 24, 2013 at 0:33
  • It is an intended behaviour, that you get a different hash-value every time, because you generate a different (random) salt for every calculation. This way an attacker cannot tell, whether two users have entered the same password. If you want to test the hashing, then just test if the verification fails/succeeds. Commented Jun 24, 2013 at 7:02

2 Answers

3

The best way to do this within Symfony2 is to get the encoder.

use \Blogger\BlogBundle\Entity\User;

$user = new User();

// the factory returns the encoder configured for this entity class in security.yml
$encoderFactory = $this->get('security.encoder_factory');
$encoder = $encoderFactory->getEncoder($user);

$salt = 'salt'; // this should be different for every user
$password = $encoder->encodePassword('password', $salt);

// persist both, since the salt is needed to verify the password later
$user->setSalt($salt);
$user->setPassword($password);

If you are using FOSUserBundle, you should use:

use \Blogger\BlogBundle\Entity\User;

// FOSUserBundle registers its manager as "fos_user.user_manager"
$userManager = $this->get('fos_user.user_manager');

$password = 'password';
$user = new User();
$user->setPlainPassword($password); // the manager hashes the plain password for you

$userManager->updateUser($user, true); // second argument tells user manager to flush

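To check the encoder the way a login does, instead of comparing two hashes by eye, here is an added example that is not part of the answer above. It builds Symfony 2.3's BCryptPasswordEncoder directly (assuming symfony/security is installed through Composer and autoloaded from vendor/autoload.php), hashes the same password twice, reads the cost back out of the hash prefix, and verifies with isPasswordValid(). The helper bcryptCost() is mine, not Symfony's.

```php
<?php
// Added example: exercise Symfony 2.3's bcrypt encoder the way a login would.
// Assumes symfony/security is installed via Composer (vendor/autoload.php).
// No container is used; the encoder is constructed directly with cost 13,
// matching the "cost: 13" setting in security.yml.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder;

$encoder = new BCryptPasswordEncoder(13);

$raw  = 'password';
$salt = 'salt'; // passed for API compatibility; bcrypt embeds its own random salt

$hash1 = $encoder->encodePassword($raw, $salt);
$hash2 = $encoder->encodePassword($raw, $salt);

// Two hashes of the same password differ: each call embeds a fresh random salt.
printf("hash1: %s\nhash2: %s\nidentical: %s\n",
    $hash1, $hash2, var_export($hash1 === $hash2, true));

// Helper (mine): a bcrypt hash is "$2y$" + two-digit cost + "$" + 53 chars of
// ./0-9A-Za-z (22 salt + 31 digest). Pull the cost out to confirm that the
// configured value was actually used.
function bcryptCost($hash)
{
    if (!preg_match('/^\$2[axy]\$(\d{2})\$[.\/A-Za-z0-9]{53}$/', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash: ' . $hash);
    }
    return (int) $m[1];
}
printf("cost used: %d\n", bcryptCost($hash1));

// The correct test is verification, not equality of two hashes.
printf("hash1 verifies: %s\n", var_export($encoder->isPasswordValid($hash1, $raw, $salt), true));
printf("hash2 verifies: %s\n", var_export($encoder->isPasswordValid($hash2, $raw, $salt), true));
printf("wrong password: %s\n", var_export($encoder->isPasswordValid($hash1, 'wrong', $salt), true));
```

Run it with php from the project root; both hashes verify even though they are different strings, and the cost printed from the prefix is the number to compare against security.yml.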
1

After reviewing the source code for Symfony 2.3's implementation of bcrypt, they use a function called hash_algorithm() and it seems to yield different results than crypt(). Both use $2y$ versions of bcrypt and I had set the cost for both algorithms to 13 ... however, it is more consistent to do the following for setting passwords instead:

// password_hash() generates its own random salt and embeds it in the result
$user->setPassword(password_hash($user->getPassword(), PASSWORD_BCRYPT, array('cost' => 13)));

That line of code seemed to fix my problem. The best part is that I don't even have to generate my salt any more.


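Extending the native route from this answer and the encoder route from the one above, here is an added example that comes from neither answer. It wraps password_hash() with the two checks a deployment wants: password_needs_rehash() so stored hashes are upgraded when the configured cost changes, and a format check that shows why the salt built in the question is not a valid bcrypt salt. It assumes PHP 5.5+, or PHP 5.3.7+ with ircmaxell/password-compat autoloaded from vendor/autoload.php; hashPassword(), checkPassword() and isValidBcryptSalt() are my names.

```php
<?php
// Added example (not from the original answers): native bcrypt via
// password_hash(), plus rehash-on-login and a salt format check.
// Requires PHP >= 5.5, or 5.3.7+ with ircmaxell/password-compat installed
// through Composer (assumed at vendor/autoload.php).
if (!function_exists('password_hash')) {
    require __DIR__ . '/vendor/autoload.php';
}

const BCRYPT_COST = 13; // keep in step with security.yml

// Store: password_hash() generates the 22-character random salt itself.
function hashPassword($plain)
{
    return password_hash($plain, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

// Login: verify, then transparently upgrade hashes made with an older cost.
// Returns array(bool $ok, string $hashToStore).
function checkPassword($plain, $storedHash)
{
    if (!password_verify($plain, $storedHash)) {
        return array(false, $storedHash);
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $storedHash = hashPassword($plain); // caller persists the new value
    }
    return array(true, $storedHash);
}

// A bcrypt salt for crypt() is "$2y$" + a two-digit cost from 04 to 31 + "$"
// + exactly 22 characters from ./0-9A-Za-z. crypt() rejects anything else.
function isValidBcryptSalt($salt)
{
    return (bool) preg_match('/^\$2[axy]\$(0[4-9]|[12][0-9]|3[01])\$[.\/A-Za-z0-9]{22}$/', $salt);
}

// Normal flow at cost 13.
$stored = hashPassword('test');
list($ok, $stored) = checkPassword('test', $stored);
printf("login ok: %s\n", var_export($ok, true));

// Constructed legacy record: a hash made at cost 10 is accepted once and
// replaced by a cost-13 hash on the same login.
$old = password_hash('test', PASSWORD_BCRYPT, array('cost' => 10));
list($ok, $upgraded) = checkPassword('test', $old);
printf("old-cost login ok: %s, rehashed: %s\n",
    var_export($ok, true), var_export($upgraded !== $old, true));
printf("wrong password ok: %s\n", var_export(checkPassword('nope', $stored)[0], true));

// The salt from the question: 21 hex characters plus a trailing "$" is not
// 22 characters from the bcrypt alphabet, so crypt() will not accept it.
$manual = '$2y$13$' . substr(md5(uniqid(rand(), true)), 0, 21) . '$';
printf("question's salt valid: %s\n", var_export(isValidBcryptSalt($manual), true));

// The salt password_hash() produced, cut out of the stored hash, does pass.
printf("generated salt valid: %s\n", var_export(isValidBcryptSalt(substr($stored, 0, 29)), true));
```

The rehash branch is what lets you raise the cost later without resetting every password: the old hash is only replaced after the user has proven the password, so nothing is lost if the change is rolled back.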